SSLClient::SSLClient(int sock, SSLClient::ERole role, const SSLConfig &ctx) throw(SocketConnectionClosed, SSLError) : SSLSocket(ctx), TCPSocket::TCPSocket(sock) { m_SSL = SSL_new(m_CTX); SSL_set_mode(m_SSL, SSL_MODE_AUTO_RETRY); m_BIO = BIO_new_socket(GetSocket(), BIO_NOCLOSE); SSL_set_bio(m_SSL, m_BIO, m_BIO); switch(role) { case SSLClient::CLIENT: if(SSL_connect(m_SSL) < 0) throw SSLError("Connect error"); break; case SSLClient::SERVER_FORCE_CERT: SSL_set_verify(m_SSL, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); case SSLClient::SERVER: { if(SSL_accept(m_SSL) < 0) throw SSLError("Accept error"); } break; } }
int SslOcspStapling::certVerify(OCSP_RESPONSE *pResponse, OCSP_BASICRESP *pBasicResp, X509_STORE *pXstore) { int n, iResult = -1; STACK_OF(X509) *pXchain; ASN1_GENERALIZEDTIME *pThisupdate, *pNextupdate; struct stat st; pXchain = m_pCtx->extra_certs; if (OCSP_basic_verify(pBasicResp, pXchain, pXstore, OCSP_NOVERIFY) == 1) { if ((m_pCertId != NULL) && (OCSP_resp_find_status(pBasicResp, m_pCertId, &n, NULL, NULL, &pThisupdate, &pNextupdate) == 1) && (n == V_OCSP_CERTSTATUS_GOOD) && (OCSP_check_validity(pThisupdate, pNextupdate, 300, -1) == 1)) { iResult = 0; updateRespData(pResponse); unlink(m_sRespfile.c_str()); rename(m_sRespfileTmp.c_str(), m_sRespfile.c_str()); if (::stat(m_sRespfile.c_str(), &st) == 0) m_RespTime = st.st_mtime; } } if (iResult) { setLastErrMsg("%s", SSLError().what()); ERR_clear_error(); if (m_pHttpFetch) m_pHttpFetch->writeLog(s_ErrMsg.c_str()); } return iResult; }
int SecureSocketImpl::Connect(const char *host, unsigned short port) { int ret = PlainSocketImpl::Connect(host, port); if (ret != 0) return ret; m_pimpl->ssl = SSL_new(s_sslContext); if (m_pimpl->ssl == 0) throw SSLError("Could not initialize socket SSL context"); SSL_set_fd(m_pimpl->ssl, static_cast<int>(GetDescriptor())); ret = SSL_connect(m_pimpl->ssl); if (ret < 1) throw SSLError("Could not establish a secure connection"); return 0; }
TCPSocket *SSLClient::shutdownSSL(SSLClient *c) throw(SocketConnectionClosed) { switch(SSL_shutdown(c->m_SSL)) // Sends a shutdown notice { case 0: if(SSL_shutdown(c->m_SSL) != 1) // Waits for the answer throw SSLError("The peer didn't answer our \"close notify\""); break; case 1: // Ok break; default: throw SSLError("SSL_shutdown returned -1"); break; } return new TCPSocket(Socket::Unlock(c)); }
void SSLSocket::Init() throw(SSLError) { bool bInit = false; if(!bInit) { if(!SSL_library_init()) throw SSLError("Couldn't initialize OpenSSL"); SSL_load_error_strings(); bInit = true; } }
SecureSocketImpl::SecureSocketImpl(const AbortIndicator & abortIndicator) : PlainSocketImpl(abortIndicator) , m_pimpl(new Impl) { m_pimpl->ssl = 0; Util::ScopedLock lock(s_cs); if (s_sslRefs == 0) { s_sslContext = SSL_CTX_new(SSLv23_client_method()); if (s_sslContext == 0) throw SSLError("Could not initialize SSL context"); } s_sslRefs++; }
SSLSocket::SSLSocket(const SSLConfig &ctx) throw(SSLError) { m_CTX = SSL_CTX_new(SSLv23_method()); if(m_CTX == NULL) throw SSLError("Can't create a SSL_CTX object"); if(ctx.m_sCertChainFile != "") { if(!SSL_CTX_use_certificate_chain_file(m_CTX, ctx.m_sCertChainFile.c_str())) throw SSLError("Can't read trusted certificate file"); } if(ctx.m_bAskForPasswd) SSL_CTX_set_default_passwd_cb(m_CTX, password_ask_cb); else if(ctx.m_sPasswd != "") { SSL_CTX_set_default_passwd_cb_userdata(m_CTX, (void*)&ctx.m_sPasswd); SSL_CTX_set_default_passwd_cb(m_CTX, password_cb); } if(ctx.m_sCertChainFile != "") { if(!SSL_CTX_use_PrivateKey_file(m_CTX, ctx.m_sCertChainFile.c_str(), SSL_FILETYPE_PEM)) throw SSLError("Can't read trusted certificate file"); } if(ctx.m_sCAList != "") { if(!SSL_CTX_load_verify_locations(m_CTX, ctx.m_sCAList.c_str(), 0)) throw SSLError("Can't read CA list"); #if OPENSSL_VERSION_NUMBER < 0x00905100L SSL_CTX_set_verify_depth(m_CTX, 1); #endif } if(ctx.m_sCipherList != "") SSL_CTX_set_cipher_list(m_CTX, ctx.m_sCipherList.c_str()); if(ctx.m_sCertificateFile != "") { if(!SSL_CTX_use_certificate_file(m_CTX, ctx.m_sCertificateFile.c_str(), SSL_FILETYPE_PEM)) throw SSLError("Can't read own certificate file"); } if(ctx.m_sPrivatekeyFile != "") { int type; switch(ctx.m_ePrivatekeyType) { case SSLSocket::PEM: type = SSL_FILETYPE_PEM; break; case SSLSocket::ASN1: type = SSL_FILETYPE_ASN1; break; } if(!SSL_CTX_use_PrivateKey_file(m_CTX, ctx.m_sPrivatekeyFile.c_str(), SSL_FILETYPE_PEM)) throw SSLError("Can't load private key file"); } }
void SSL_ciphernames(MCExecPoint &ep) { #ifdef MCSSL // MW-2004-12-29: Integrate Tuviah's fixes static char sslcipherlist[] = "bf,128\nbf-cbc,128\nbf-cfb,128\nbf-ecb,128\nbf-ofb,128\nblowfish,128\ncast,128\ncast-cbc,128\ncast5-cbc,128\ncast5-cfb,128\ncast5-ecb,128\ncast5-ofb,128\ndes,64\ndes-cbc,64\ndes-cfb,64\ndes-ecb,64\ndes-ede,128\ndes-ede-cbc,128\ndes-ede-cfb,128\ndes-ede-ofb,128\ndes-ede3,192\ndes-ede3-cbc,192\ndes-ede3-cfb,192\ndes-ede3-ofb,192\ndes-ofb,64\ndes3,192\ndesx,192\ndesx-cbc,192\nrc2,128\nrc2-40-cbc,40\nrc2-64-cbc,64\nrc2-cbc,128\nrc2-cfb,128\nrc2-ecb,128\nrc2-ofb,128\nrc4,128\nrc4-40,40\nrc5,128\nrc5-cbc,128\nrc5-cfb,128\nrc5-ecb,128\nrc5-ofb,128"; isfirstcipher = True; ep.clear(); if (!InitSSLCrypt()) { char sslerrbuf[256]; SSLError(sslerrbuf); MCresult->copysvalue(sslerrbuf); } else OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, list_ciphers_cb, &ep); #else // MW-2013-01-15: [[ Bug 10631 ]] Make sure we clear the return value if no // SSL! ep . clear(); #endif }